Re: <victim>server formmail.pl exploit in the wild

From: mike maxwell (mmaxwell@gmavt.net)
Date: 04/12/02


Date: Fri, 12 Apr 2002 15:11:39 -0400
From: mike maxwell <mmaxwell@gmavt.net>
To: Justin Shore <macdaddy@neo.pittstate.edu>

formmail 1.9 is vulnerable...we were just hit by it.....many messages went out
before we caught it ......supposedly the version at

http://www.monkeys.com/anti-spam/filtering/formmail.html

takes care of the problem.......:-(

Justin Shore wrote:

> One of my servers had an old copy of formmail.cgi on it (1.6) a few weeks
> ago which got that server listed in SpamCop. Every single malicious use
> of that cgi came from pacbell.net DSL customers. Since upgrading to 1.9
> we haven't had any trouble, yet <knock on wood>. I would rather find a
> PHP solution for form handling.
>
> Justin
>
> On 4/11/02 6:06 PM Andrew Daviel said...
>
> >
> >I've seen an attempt to exploit FormMail.pl version 1.9 (the latest
> >official version), viz.
> >
> >Tue Apr 9 15:40:50 2002
> >REMOTE_ADDR=172.190.98.15
> >REQUEST_METHOD=POST
> >REMOTE_PORT=2768
> >HTTP_CACHE_CONTROL=no-cache
> >REQUEST_URI=/cgi-bin/formmail.pl
> >CONTENT_TYPE=application/x-www-form-urlencoded
> >CONTENT_LENGTH=2153
> >Count 1
> >.
> >
> >We will show you how to not only make money online,
> >..
> >subject academics NyZ0f
> >recipient
> ><a2888@hotmail.com>vancouver-webpages.com,<a28dan@msn.com>vancouver-webpag
> >es.com,
> >etc.
> >
> >as per
> >http://online.securityfocus.com/archive/1/252232
> >
> >I have also seen an extensive credit card fraud spam campaign aimed at AOL
> >users exploiting the earlier vulnerability in FormMail.pl version 1.6
> >
> >
> >Andrew Daviel, TRIUMF, Canada
> >Tel. +1 (604) 222-7376
> >security@triumf.ca
> >
> >
> >----------------------------------------------------------------------------
> >This list is provided by the SecurityFocus ARIS analyzer service.
> >For more information on this free incident handling, management
> >and tracking system please see: http://aris.securityfocus.com
>
> --
> Justin Shore, ES-SS ES-SSR Pittsburg State University
> Network & Systems Manager Kelce 157Q
> Office of Information Systems Pittsburg, KS 66762
> Voice: (620) 235-4606 Fax: (620) 235-4545
> http://www.pittstate.edu/ois/
>
> Warning: This message has been quadruple Rot13'ed for your protection.

--
Mike Maxwell
System Manager--GMA
mmaxwell@gmavt.net
****************************************************
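
The recipient values in the quoted log end in the site's own domain while carrying an outside address in angle brackets. As an added example (not part of the original messages and not FormMail's own code), the Python below triages a urlencoded formmail POST body and rejects any recipient that is not a plain local@domain address in an allow-list; the allow-list, the function names and the example.net/example.org sample bodies are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlencode

# Assumption: the only domains this site's forms are allowed to mail to.
ALLOWED_DOMAINS = {"vancouver-webpages.com"}

# One local part, one '@', one dotted domain; no brackets, commas or spaces.
ADDR_RE = re.compile(r"^[A-Za-z0-9._+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)$")

def suffix_only_check(value, allowed=ALLOWED_DOMAINS):
    """Hypothetical weak check, for contrast: looks only at how the value ends."""
    return any(value.strip().lower().endswith(d) for d in allowed)

def check_recipient(value, allowed=ALLOWED_DOMAINS):
    """Strict check: return (ok, reason) for a single recipient entry."""
    m = ADDR_RE.match(value.strip())
    if not m:
        return False, "not a plain local@domain address"
    if m.group(1).lower() not in allowed:
        return False, "domain not in allow-list"
    return True, "ok"

def triage_post(body, allowed=ALLOWED_DOMAINS):
    """Parse a urlencoded POST body; return [(entry, reason)] for rejected recipients."""
    fields = parse_qs(body, keep_blank_values=True)
    rejected = []
    for raw in fields.get("recipient", []):
        for entry in raw.split(","):
            entry = entry.strip()
            if not entry:
                continue  # trailing comma, as in the logged request
            ok, reason = check_recipient(entry, allowed)
            if not ok:
                rejected.append((entry, reason))
    return rejected

# Constructed sample bodies, shaped like the recipient field in the quoted log.
SAMPLE_ABUSE = urlencode({
    "subject": "constructed sample",
    "recipient": "<user1@example.net>vancouver-webpages.com,"
                 "<user2@example.org>vancouver-webpages.com,",
})
SAMPLE_OK = urlencode({"subject": "feedback",
                       "recipient": "webmaster@vancouver-webpages.com"})

if __name__ == "__main__":
    for name, body in (("abuse", SAMPLE_ABUSE), ("ok", SAMPLE_OK)):
        print(name, triage_post(body))
```

The same strict check can be applied to POST bodies captured by a logging wrapper such as the one that produced the quoted log, to find requests that a suffix-only comparison would have let through.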
